Additional roles/attributes of authenticated users

Hello,

I’m new to PrivacyIDEA, in fact still trying to figure out if it can be used for my purposes.

My authentication via sqlresolver works fine. I need to provide the authenticating system - via API and PHP lib - additional information about the authenticated user, so (s)he can be assigned proper roles or permissions in the authenticating system.

Therefore, I need to assign roles (or attributes, or whatever) that are not just admin and user roles supported by the PrivacyIDEA UI. Instead, a user could have, for example, system1_admin, system2_admin, system3_user, etc. That information should be made available to the authenticating system to properly restrict what a user can do on those systems.

I’ve played with roles, events and tokens with no success, but this is so new to me that I’m certainly missing something.

All help will be much appreciated.

Regards,

Andre

Hello Andre,

welcome to privacyIDEA.
This is an interesting and important question.

The applications have to take care of the authorization. privacyIDEA can only provide information about the user, give this information to the application and have the application decide, what to do.
So after all, you could use any user attribute to do so. To add further user attributes (like admin_level being “system2_admin”), you need to tweak your user resolver.
You could also use custom user attributes (introduced in 3.6)

Then you can use this policy
https://privacyidea.readthedocs.io/en/latest/policies/authorization.html#add-user-in-response
to add these user attributes in the response.

Regards
Cornelius
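
The application side of what Cornelius describes, as an added example that is not part of the original thread or of privacyIDEA itself: the privacyIDEA side is assumed to be set up as in the reply above (a role attribute on the user, exposed by the resolver or as a custom user attribute, plus an authorization policy with add_user_in_response so that detail.user is filled on success). The client below calls /validate/check, reads the returned user attributes and maps them to application permissions, failing closed whenever authentication did not succeed or the attribute is absent. The attribute name `roles`, the role strings and the permission sets are assumptions for the example, and the sample responses are constructed, not captured from a server.

```python
"""Application-side role mapping for privacyIDEA /validate/check responses.

Added example (not privacyIDEA's own code). Assumes the resolver or a custom
user attribute exposes the user's roles under ROLE_ATTRIBUTE and that an
authorization policy with add_user_in_response is active, so a successful
authentication returns the attributes in detail.user.
"""
import json
import ssl
import urllib.parse
import urllib.request

# Assumed attribute name; its value may be a comma-separated string or a list.
ROLE_ATTRIBUTE = "roles"

# Hypothetical mapping from role strings to permissions this application
# enforces. Only roles listed here are ever granted; anything else is ignored.
ROLE_PERMISSIONS = {
    "system1_admin": {"system1:read", "system1:write", "system1:manage_users"},
    "system2_admin": {"system2:read", "system2:write", "system2:manage_users"},
    "system3_user": {"system3:read"},
}


def validate_check(base_url, username, password, timeout=10):
    """POST user/pass to /validate/check and return the parsed JSON body.

    Certificate verification is left on (default SSL context): the response
    carries authorization data, so a spoofed server could hand out roles.
    """
    data = urllib.parse.urlencode({"user": username, "pass": password}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/validate/check", data=data, method="POST"
    )
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read().decode("utf-8"))


def _split_roles(raw):
    """Normalise the attribute value to a list of non-empty role strings."""
    if raw is None:
        return []
    if isinstance(raw, str):
        raw = raw.split(",")
    if not isinstance(raw, (list, tuple)):
        return []
    return [str(r).strip() for r in raw if str(r).strip()]


def roles_from_response(response, attribute=ROLE_ATTRIBUTE):
    """Return the application-known roles of the authenticated user.

    Fails closed: the set is empty unless result.status and result.value are
    both true (authentication succeeded) and the attribute is in detail.user.
    """
    result = response.get("result") or {}
    if result.get("status") is not True or result.get("value") is not True:
        return set()
    user = (response.get("detail") or {}).get("user")
    if not isinstance(user, dict):
        return set()
    return {r for r in _split_roles(user.get(attribute)) if r in ROLE_PERMISSIONS}


def permissions_for(roles):
    """Union of the permissions granted by the given roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


# Constructed sample responses (shape of a privacyIDEA JSON-RPC reply with
# add_user_in_response active; values invented for this example).
SAMPLE_SUCCESS = {
    "jsonrpc": "2.0",
    "id": 1,
    "result": {"status": True, "value": True},
    "detail": {
        "message": "matching 1 tokens",
        "serial": "TOTP00000001",
        "user": {
            "username": "andre",
            "email": "andre@example.com",
            "roles": "system1_admin, system3_user, not_a_known_role",
        },
    },
}
SAMPLE_FAILURE = {
    "jsonrpc": "2.0",
    "id": 2,
    "result": {"status": True, "value": False},
    "detail": {"message": "wrong otp value"},
}

if __name__ == "__main__":
    roles = roles_from_response(SAMPLE_SUCCESS)
    print("roles:", sorted(roles))
    print("permissions:", sorted(permissions_for(roles)))
    print("roles after failed authentication:", roles_from_response(SAMPLE_FAILURE))
```

Two things to keep in mind when wiring this into a real application: the attribute is only as trustworthy as the user store it comes from, so whoever can write that column in the SQL resolver (or edit the custom attribute) effectively assigns application roles; and the roles must be read from the same response whose result.value was checked, never from a cached or separately fetched user record.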

Thank you for the response. I’ll give it a try and update this topic appropriately. I appreciate the directions given for me to follow.

It works nice and easy.

Thank you!
